I have created a site with a login and register.It was working, but when I finished it something was very wrong, I can't login to the site.
I can register a new user and that is added in the mysql db but when I try to login the redirect does not work it will not goto the page index.php.
Can anyone look at this source because and see if you can find anything wrong.
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&$password)
{
$connect = mysql_connect("localhost","root","") or DIE ("Could not connect");
mysql_select_db("case") or die ("could not find db");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
header('location: index.php');
/*echo "Login successful. <a href='membersarea.php'>click her to enter members erea<a/>"; */
/*$_SESSION['username']=$dbusername; */
}
else
echo "Incorrect password";
}
else echo ("That username dows not exist");
}
else
die ("Please enter a username and password");
?>
Get rid of php closing tag ?> and whitespaces, html, blank lines before php opening tag <?php. Also check if there is no output before :
header("Location:");
Like print,var_dump, echo and so on. Also check your if condition, maybe you are just skipping it.
WARNING! you have an SQL injection ERROR. Try with:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
Now, simplify your life:
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
Is it right?
if( mysql_num_rows($query) > 0 ) {
header('location: index.php');
}
At first sight, I notice this:
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword) {
The if is outside the loop. It will only be used against the last row.
If you only have one user, it should be working.
Related
I'm making a PHP login and it was working before, but I tried to make the username feature case insensitive and the code hasn't worked since. I deleted all of the stuff I added to try and make it case insensitive i.e.strtolower().All that displays on the page is "Please enter a username and password." but I have an html file that is supposed to pop up and dispay the login. Here is the code (I took out the personal database info in the mysql connect area):
<?php
session_start();
$username = $_POST["username"];
$password = $_POST["password"];
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
else
echo "Incorrect Password";
}
else
die("Username does not exist");
}
else
die("Please enter a username and password.");
?>
I have put mysql_real_escape_string() around your post values to prevent sql injection
Also mysqli is the latest way to connect to mysql database but i have not added that to your code:
session_start();
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login");
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
}
else {
echo "Incorrect Password";
}
}
This is the login php script, I don't get no errors or echos so I have no idea what's going on. The "*'s" is me censoring that info. If you would like to see the live page it is here.
<?php
printf("Client library version: %s\n", mysqli_get_client_info());
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
var_dump('test');
if (!empty($username) && !empty($password)){
echo $username
echo $password
$connect = mysql_connect("localhost", "atsbusin_atsbusin", "Andrew85") or die ("Failed to connect to DB");
mysql_select_db("atsbusin_users") or die ("failed to select DB");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows != 0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login Success!";
$_SESSION['username'] == $dbusername;
} else {
echo "Incorrect password!";
}
} else {
die("invalid username, check the spelling or register that name");
}
}
echo 'something'
?>
This is the final working code, thanks to all who helped! Now for me to switch over to mysqli and do the security measures suggested (have a feeling I'll be back ☺ )
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$connect = mysql_connect("localhost", "atsbusin_atsbusi", "Andrew85") or die ("Failed to connect to DB");
mysql_select_db("atsbusin_users") or die ("failed to select DB");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login Success!";
$_SESSION['username'] = $dbusername;
} else {
echo "Incorrect password!";
}
?>
The only way this wont echo anything and not give you an error is If the username exists and the password does not match So it will go through:
if($numrows != 0){
}
Try to put a var_dump('test'); in that IF statement and see if it does show something.
You also have no ; after the
$username = $_POST['username']
$password = $_POST['password']
change it to:
$username = $_POST['username'];
$password = $_POST['password'];
Some extra notes:
you probably want a else around: die("Do not leave username and/or password field blank");
Dont use mysql it will be deprecated as of PHP 5.5.0, and will be removed in the future.
You're wide open to MYSQL injection
EDIT:
It also wouldn't show an error or echo if you fill in the username and password and they both dont match
There are some php syntax errors in your script.
You have missed semicolons at below lines, update code and set display errors on to see if there is any other error
$username = $_POST['username'];
$password = $_POST['password'];
Your code has some syntax and logical errors.
1) You're missing ; when variable assigning.
$username = $_POST['username'];
$password = $_POST['password'];
2) You're not using && in your if() statement, but two $
if ($username == $dbusername && $password == $dbpassword) {
3) You're using a comparison (==) on your $_SESSION and not an assignment (=).
$_SESSION['username'] = $dbusername;
Notes
Check the password matches the one in the database on the query itself (after you encrypt it)
With your current logic, it suggests you store your passwords in plain text. This is a BIG NO-NO.
You're wide open to SQL injections
<?php
if(isset($_POST['login'])) {
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('db') or die("cannot select DB");
$pass = $_POST['pass'];
$user = $_POST['user'];
$encryptedpass = hash('whirlpool', $pass);
$query=mysql_query("SELECT * FROM players WHERE user='".$user."' AND pass='".$encryptedpass."'");
$numrows=mysql_num_rows($query);
echo("$encryptedpass");
if($numrows!=0)
{
while($row=mysql_fetch_assoc($query))
{
$dbusername=$row['user'];
$dbpassword=$row['pass'];
}
if($user == $dbusername && $encryptedpass == $dbpassword)
{
echo("logged in");
session_start();
$_SESSION['sess_user']=$user;
header("Location: settings.php");
} else
echo "Invalid username or password!";
}
}
?>
The hashing echo works as it should, how-ever even though the user & pass are correct it says invald password.... Help would be great!
EDIT: Thats weird... When I enter the wrong pass, invalid password echo doesnt show up... How odd
Not sure what the error is there, but the following (basically the same) works fine.
Make sure that your post values are actually being passed, and adding or die(mysql_error()) will tell you if you have any errors in your sql.
Also, you should escape your strings (if not using prepared statements)
if(isset($_POST['login'])) {
/* Do connection */
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$encrypted = hash('whirlpool', $pass);
$q = mysql_query("SELECT id FROM players WHERE user = '".$user."' AND pass = '".$encrypted."'",$server)or die(mysql_error());
if(mysql_num_rows($q)>0) {
/* Login approved */
$row = mysql_fetch_array($q);
print $row['id'];
}else{
/* Could not login */
}
}
I have a log in system where the user must log in to access the main website. However, the validation isn't working.
It's mainly the password function that isn't working. Any suggestions why?
<?php
session_start();
$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
if ($login&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");
$query = mysql_query("SELECT * FROM users WHERE login='$login'");
$numrows = mysql_num_rows($query);
if ($numrows==!0)
{
//code to login
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['login'];
$dbpassword = $row['password'];
}
//check to see if they match
if($login==$dbusername&&$password==$password)
{
$_SESSION['login']=$username;
$_SESSION['password']=$password;
sleep(5);
header('Location: nindex.php');
die();
}
else
die ("incorrect password");
}
else
die("That user does not exist");
}
else
die("please provide a username and password");
?>
There are some problems in your code, try this
<?php
session_start();
$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
if ($login&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect");
mysql_select_db("a&e") or die("Couldn't find db");
$query = mysql_query("SELECT * FROM users WHERE login='".$login."' AND password='".$password."'");
$numrows = mysql_num_rows($query);
if ($numrows > 0)
{
//code to login
header('Location: nindex.php');
die();
}
else
{
echo "incorrect username or password";
}
}
?>
I have noticed 4 things.
1) When you check to see if they match
you are comparing $password to $password instead of "$dbpassword"
2) Why do you call "sleep(5)" ?
3) You need to encrypt the password before storing to the database because if your site get hacked, your user passwords will eventually be in bad hands.
4) you should never store a password in a session variable (for security reasons)
Here is my code for some reason, it is always returning that the password is incorrect. I'm not sure if I just forgot a bracket somewhere, also how can I make it more secure because right now I'm using the _post function.
<?php
include 'config.php';
session_start();
session_destroy();
session_start();
$UserName = $_POST['UserName'];
$PassWord = $_POST['PassWord'];
if ($UserName&&$PassWord)
{
mysql_select_db("SegmentMath") or die ("Couldn't find database sorry.");
$query = mysql_query("SELECT * FROM Users WHERE UserName='$UserName'");
$numrows = mysql_num_rows($query);
if ($numrows!=0)
{
// code to login
while ($row = mysql_fetch_assoc($query))
{
$dbUserName = $row['UserName'];
$dbPassWord = $row['PassWord'];
}
//check to see if they match!
if ($UserName==$dbUsername&&$PassWord==$dbPassWord)
{
$_SESSION['UserName']=$dbUsername;
$_SESSION['PassWord']=$dbPassWord;
echo "<p>Finished Software</p>";
}
else
{
echo "Incorrect Password";
}
}
else die("Sorry username not found!");
}
else die("Please Enter A Valid Username And Password!");
?>
So I'm almost positive I'm doing something stupid wrong and it has had me stumped for almost 30 minutes. This file is just the login.php so basically if the user enters there username and password on the login.html page, it pushes that data to this page Login.Php.
I'm confused why it says incorrect password no matter what even if the login is correct and in the database.
I would say, it's better to use this, i mean create query which find the username and password
$login = mysql_query("SELECT * FROM users WHERE ID='". $UserName ."' AND PASSWORD='". md5($PassWord) ."');
$row=mysql_fetch_array($login); // fetch row
if($row!=null) // if found row
{
$_SESSION['UserName'] = $row['UserName']; // store in session
$_SESSION['PassWord'] = $row['PassWord'];
} %>
instead of
if (($UserName==$dbUsername)&&($PassWord==$dbPassWord))
{
$_SESSION['UserName']=$dbUsername;
$_SESSION['PassWord']=$dbPassWord;
echo "<p>Finished Software</p>";
}
You have a typo in your code. Variables in PHP are case-sensitive...
19. while ($row = mysql_fetch_assoc($query))
20. {
21. $dbUserName = $row['UserName'];
22. $dbPassWord = $row['PassWord'];
23. }
24.
25. //check to see if they match!
26. if ($UserName==$dbUsername&&$PassWord==$dbPassWord)
The variable on line 21 doesn't match that on line 26.
$dbUserName is not the same as $dbUsername
You are probably using some encryption when the password are stored. For example if you are using md5()(just an example, md5 is not the best for passwords) you should check this way:
if ($UserName == $dbUsername && md5($PassWord) == $dbPassWord)
{
if ($UserName==$dbUsername&&$PassWord==$dbPassWord)
{
$_SESSION['UserName']=$dbUsername;
$_SESSION['PassWord']=$dbPassWord;
echo "<p>Finished Software</p>";
}
else
{
echo "Incorrect Password";
}
1).it goes in else condition .. so can you echo these four $variables to me ?
2).remove spaces from the $_post with str_replace
if ($UserName==$dbUsername <= capitalize $dbUserName)
{
//YOUR LOGIC
}
I think you code it wrong way. You should not put session destroy after session start. First of all, let start the session by session_start();
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM table_name WHERE username = '$username'";
$result = mysql_query($query);
$count = mysql_num_rows($query);
$row = mysql_fetch_assoc($result);
if($count == 0)
{
//if there is no result
}
$dbpassword = $row['password'];
if($dbpassword == $password)
{
//put some session here
}
else
{
//if the password is not match
}
I hope this might help
You need to connect to the database first. Use mysql_connect()
Also note that this function is being depreciated and the use of mysqli is or PDO is recommended. There is a link to these in the link above.